Department of Homeland Security
Office of Inspector General

DHS' Progress in Addressing Technical Security Challenges at Washington
Dulles International Airport (Redacted)

Notice: The Department of Homeland Security, Office of the Inspector General has redacted this report for public
release. A review under the Freedom of Information Act (5 U.S.C. 552), will be conducted upon request.

OIG-09-66    May 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

May 7, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the department.

This report addresses DHS’ progress in strengthening technical and information security
policies and procedures at Washington Dulles International Airport in Virginia. It is
based on interviews with employees and officials of relevant agencies and institutions,
direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation. We
trust this report will result in more effective, efficient, and economical operations.
We express our appreciation to all who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Review
  CBP’s IT Security Controls Improve, But More Work Is Needed
  Recommendations
  Management Comments and OIG Analysis
  TSA’s IT Security Controls Improve, But More Work Is Needed
  Recommendations
  Management Comments and OIG Analysis

Appendices
  Appendix A: Purpose, Scope, and Methodology
  Appendix B: CBP’s Management Comments to the Draft Report
  Appendix C: TSA’s Management Comments to the Draft Report
  Appendix D: CBP Single Points of Failure at IAD
  Appendix E: Major Contributors to This Report
  Appendix F: Report Distribution

Abbreviations
  CBP                    U.S. Customs and Border Protection
  CIO                    Chief Information Officer
  DHS                    Department of Homeland Security
  DHS 4300A Handbook     DHS Sensitive Systems Handbook
  DHS Directive 4300A    DHS Sensitive Systems Policy Directive 4300A
  IAD                    Washington Dulles International Airport
  IT                     Information Technology
  LAN                    Local Area Network
  OIG                    Office of Inspector General
  POA&M                  Plan of Action and Milestones
  SSL                    Secure Socket Layer
  TCP                    Transmission Control Protocol
  TSA                    Transportation Security Administration
  UDP                    User Datagram Protocol
  UPS                    Uninterruptible Power Supply

Executive Summary

We initiated a program to determine the extent to which critical
Department of Homeland Security sites comply with the
department’s technical and information security policies and
procedures. In January 2007, we reported that information
technology security controls implemented by U.S.
Customs and
Border Protection and the Transportation Security Administration
at Washington Dulles International Airport had deficiencies that, if
exploited, could result in the loss of confidentiality, integrity, and
availability of the automated systems used to perform their
mission-critical activities. We also identified actions that these
components could take to improve information technology
security.

We conducted a follow-up evaluation to determine whether
corrective actions for the reported weaknesses had been
implemented, and whether those actions comply with the
department’s and components’ technical and information security
policies and procedures. We performed onsite verification of the
corrective actions, interviewed department staff, and conducted
technical tests of internal controls.

The department has made significant progress in improving
technical security for information technology assets at Dulles.
However, further work is needed to comply with government
policies and procedures. For example, both components need to
make additional improvements in their operational controls over
the physical security of their information technology. We are also
recommending improvements in technical controls, including
updating servers with the latest release of the operating system
software.
Implementation of these additional measures will
increase the technical security of departmental information
technology assets at Dulles.

Background

We designed our Technical Security Evaluation Program to
provide senior Department of Homeland Security (DHS) officials
with timely information on whether they had properly
implemented DHS information technology (IT) security policies at
critical sites. Our program is based on DHS Sensitive Systems
Policy Directive 4300A (DHS Directive 4300A), which applies to
all DHS components. It provides direction to managers and senior
executives regarding the management and protection of sensitive
systems. DHS Directive 4300A also outlines policies relating to
the operational, technical, and management controls that are
necessary for ensuring confidentiality, integrity, availability,
authenticity, and nonrepudiation within the DHS IT infrastructure
and operations. A companion document, the DHS 4300A Sensitive
Systems Handbook (DHS 4300A Handbook), provides detailed
guidance on the implementation of these policies.

DHS IT security policies are organized under management,
operational, and technical controls.
According to DHS Directive
4300A, these controls are defined as follows:

• Operational Controls – Focus on mechanisms primarily
  implemented and executed by people. These controls are
  designed to improve the security of a particular system or
  group of systems. These controls require technical or
  specialized expertise and often rely on management and
  technical controls.

• Technical Controls – Focus on security controls executed by
  IT systems. These controls provide automated protection from
  unauthorized access or misuse. They facilitate detection of
  security violations and support security requirements for
  applications and data.

• Management Controls – Focus on managing both the IT
  security system and system risk. These controls consist of risk
  mitigation techniques and concerns normally addressed by
  management.

U.S. Customs and Border Protection (CBP) and the Transportation
Security Administration (TSA) each have activities at Washington
Dulles International Airport (IAD), a port of entry located in
Chantilly, VA.
Both CBP and TSA rely on a range of IT assets to
support their respective missions.

CBP processes passengers and baggage on arriving international
flights at IAD by using information systems that include United
States Visitor and Immigrant Status Indicator Technology,
Automated Biometric Identification Systems, Custom
Modernization Prime Integration, and other secondary systems.
The CBP activities at IAD are conducted at the Main
Terminal-International Arrivals, C Terminal/Midfield, B Terminal,
Cargo Inspections, and two private terminals.

TSA also has operations at various buildings at IAD, including the
main terminal and a commercial office building. TSA activities
include screening passengers and baggage on all departing flights
at IAD.

In January 2007, we reported that the IT security controls
implemented by CBP and TSA at IAD had deficiencies that, if
exploited, could result in the loss of confidentiality, integrity, and
availability of the IT systems on which CBP and TSA rely to
perform their mission-critical activities.[1] Specifically, we reported
that CBP and TSA needed to improve operational, technical, and
management controls for their IT assets at IAD.
Based on these
findings, we recommended that the DHS Chief Information
Security Officer instruct CBP and TSA to:

• Strengthen operational controls at CBP and TSA facilities at
  IAD.
• Apply necessary software upgrades in a timely and expeditious
  manner.
• Prepare the necessary plan of action and milestones (POA&M)
  to resolve known and reported deficiencies in IT Security.
• Ensure that all systems, wireless communications, and group
  users’ ID are appropriately authorized to operate.

The objective of this evaluation was to determine whether
corrective actions for the reported weaknesses had been
implemented, and whether those actions comply with the
department’s and components’ technical and information security
policies and procedures.

[1] Technical Security Evaluation of DHS Activities at Dulles International Airport, OIG-07-25,
January 2007.

Results of Review

CBP’s IT Security Controls Improve, But More Work Is Needed

CBP’s IT security controls have improved at IAD, but more work is
needed to comply with DHS policies and procedures.
Specifically, CBP
improved its operational, technical, and management controls for IT
equipment. For example, CBP implemented adequate POA&Ms to
effectively address previously reported IT deficiencies at IAD.
Additionally, group user accounts were disabled and all CBP systems
were authorized to operate. Further, CBP disabled inactive physical ports
on its routers and switches at IAD.

However, more work is needed to address physical and environmental
control deficiencies. CBP also needs to implement technical controls to
ensure that it is using the most current version of operating systems.
Further, CBP should ensure that system documentation includes
information concerning vulnerabilities and accepted risks.

Collectively, these deficiencies could place at risk the confidentiality,
integrity, and availability of the data stored, transmitted, and processed by
CBP at IAD.

Operational Controls

CBP improved operational controls to comply with DHS policies.
Specifically, CBP implemented temperature and humidity sensors,
added a second telecommunications circuit for path redundancy,
and disabled unused physical ports on the routers and switches at
IAD. However, CBP needs to do more to address operational
control deficiencies. For example, physical security control
improvements are needed to prevent unauthorized access to
telecommunications equipment.
CBP also needs to improve
business continuity capabilities for times when power or
telecommunications outages affect IAD.

Physical Security Controls

CBP needs to improve physical security controls to prevent
unauthorized access to IT resources. For example, CBP has
telecommunications equipment in a room shared with non-DHS
tenants. While this room is locked, it is not under the control of
CBP officials, non-CBP staff has access keys, and the CBP
telecommunications equipment is not in a locked cabinet.

CBP telecommunications equipment in a waiting room is not
properly secured in a locked cabinet. This room is used by
international passengers waiting for CBP personnel to process
them for entry into the country.
See figure 1.

Figure 1: Unsecured CBP telecommunications equipment on a wall in an
international passenger waiting room.

Further, CBP is not using the visitors’ sign-in logs that are now
installed in all of its local area network (LAN) and
telecommunications rooms.

According to the DHS 4300A Handbook:

    “Access to DHS buildings, rooms, work areas, spaces, and
    structures housing IT systems, equipment, and data shall be
    limited to authorized personnel.”

    “Controls for deterring, detecting, restricting, and
    regulating access to sensitive areas shall be in place and
    will be sufficient to safeguard against possible loss, theft,
    destruction, damage, hazardous conditions, fire, malicious
    actions and natural disasters.”

    “Visitors log should be maintained and available for one
    year.”

Business Continuity Capability

CBP has taken steps to ensure continued passenger processing
during communications or power outages.
For example, CBP
improved its business continuity capability by installing new
telecommunications lines and circuits at IAD. Specifically, two
circuits were installed, each with a different end point and each
from a different vendor. Routers at the two end-point locations
will be load-balanced and will provide redundancy for each other.
These actions are in response to our January 2007 report
concerning the lack of data communication redundancy.

CBP also has allocated funding to critical border sites to purchase
computers for emergency conditions. The IAD allocation allowed
for the purchase of 17 computers that can be used to process
passengers during a power failure or if the telecommunications
connection to the CBP data center is not available. In April 2008,
CBP staff cited the emergency computers as a compensating
control in an exception request for accepting the risk associated
with a cutoff of telecommunications services at IAD.[2]

However, CBP currently has 65 Primary Passenger Processing
Lanes at IAD for 100% passenger-processing capacity.
Going
from 65 lanes for processing passengers to 17 lanes with
emergency computers would reduce CBP’s passenger-processing
capability by 74%.

[2] The CBP information systems security manager has not approved any of the exception or waiver requests
for IAD that are cited in this report.

Additionally, CBP has not completed all corrective actions to
comply with DHS policies and procedures. For example, each

(see Appendix D). In April 2008, CBP staff prepared a 6-month
waiver request to accept this risk while CBP installed the
equipment to resolve this deficiency.

Further, CBP has not developed plans to resolve all reported
deficiencies. For example, CBP does not have a backup power
supply for any of its buildings at IAD. Although CBP has installed
uninterruptible power supply (UPS) devices for all of its servers,
routers, and switches at IAD, these devices provide power only for
a limited period. UPS devices are not sufficient for the purpose of
operating CBP workstations following a power failure. However,
according to CBP staff, a backup power supply is unnecessary as
IAD receives power from two separate power substations.

CBP also does not have plans to remediate other operational
control deficiencies at IAD.
For example, in April 2008, CBP staff
prepared policy exception requests accepting the risk

According to the DHS 4300A Handbook:

    “DHS must have the capability to ensure continuity of
    essential function under all circumstances.”

    “For larger and more critical systems it may be appropriate
    to have an electrical generator available for the most
    critical of operational requirements.”

Environmental Controls

CBP does not regularly maintain and monitor the temperature and
humidity levels within its LAN rooms and telecommunications
closets at IAD.
Specifically, many of CBP’s telecommunications
rooms had temperatures that exceeded 70 degrees Fahrenheit.
Additionally, on our June 2008 walk-through, we observed some
ad hoc ventilation methods in use, including floor fans and a
portable air conditioning unit.

According to the DHS 4300A Handbook:

    “Temperature in computer storage areas should be held
    between 60 and 70 degrees Fahrenheit.”

Inadequate heating, ventilation, and air conditioning capability in
these telecommunications closets increases the risk of damage to
CBP IT assets.

CBP purchased and installed several temperature and humidity
sensors at IAD in response to our January 2007 report. CBP also
provided information on plans to install IT cabinets that contain
fans. In April 2008, CBP staff prepared an exception request
accepting the risk associated with a lack of environmental
monitoring.

Technical Controls

We determined that CBP has improved its technical controls for
servers at IAD, but more work is needed to comply with DHS
policies. For example, CBP disabled inactive physical ports on its
routers and switches at IAD.
However, CBP also needs to improve
its technical controls by:

•

Additionally, CBP Novell servers had open logical ports with
known vulnerabilities that were not documented in the site risk
assessment. Unnecessary open ports and services increase the risk
that malicious users may compromise CBP systems or allow
external attacks.

CBP
personnel told us that they recognize the vulnerabilities associated
with these open ports and that they used the firewall as a
compensating control to block the threats associated with these
ports.[3] However, CBP has not documented the acceptance of this
risk and the associated compensating controls in the site-specific
security plans or risk assessments.

According to DHS Directive 4300A:

    “Components shall manage systems to reduce
    vulnerabilities through vulnerability testing, promptly
    installing patches, and eliminating or disabling unnecessary
    services, if possible.”

Management Controls

CBP resolved the management control deficiencies we reported in
January 2007.
We did not identify any additional management
control deficiencies.

Recommendations

We recommend that the CBP Chief Information Officer (CIO) take
the following actions for CBP activities at IAD:

Recommendation #1: Implement physical security and
environmental controls to compensate for reported deficiencies.

Recommendation #2: Implement business continuity capabilities
to compensate for reported deficiencies.

Recommendation #3: Implement and document technical
controls and processes to compensate for reported deficiencies.

[3] CBP staff provided evidence that the firewalls block these ports. However, we did not independently test
these firewalls.

Management Comments and OIG Analysis

CBP concurred with recommendations 1 through 3. These
recommendations will be considered resolved but open pending
verification of all planned actions.

TSA’s IT Security Controls Improve, But More Work Is Needed

TSA’s IT security controls have improved at IAD, but more work is
needed to comply with DHS policies and procedures.
Specifically, TSA
improved its operational, technical, and management controls for IT
equipment. For example, operational controls at IAD were strengthened
with the installation of locked cabinets, camera surveillance, and card
readers for doors. TSA also reinforced its technical security controls by
updating the secure socket layer (SSL) certificate for its servers at IAD.
Additionally, TSA strengthened management controls by streamlining the
TSANet system POA&Ms. Further, TSA updated the TSANet system
boundaries to include the Office of Emergency Preparedness’ server at
IAD.

However, more work is needed to address our previously reported
deficiencies. Specifically, TSA needs to take steps to restrict access to IT
equipment at IAD and to strengthen technical security controls.

Operational Controls

We reported previously that TSA had not provided sufficient
physical security to prevent unauthorized access to TSA
telecommunications closets and desktop computers at IAD. Since
then, TSA has improved physical security controls by
implementing the use of locked cabinets, camera surveillance, and
entry/exit card readers. However, additional physical security
controls are still needed in several areas at IAD. For example,
TSA could strengthen controls to restrict access to its
telecommunications closet and a workstation in a passenger
screening area. Additionally, TSA should remove excess IT
equipment and boxes in its IAD LAN room.
See figure 2.

Figure 2: Excess equipment stored in LAN room.

TSA has moved some of the excess equipment and restacked or relocated boxes. Additionally, TSA has added a visitor log to the room. Further, TSA provided detailed plans, flooring diagrams, and pictures of a “cage structure” that TSA plans to purchase to protect its IT equipment from harm. However, actual construction of the cage has not started.

TSA telecommunications equipment located in a commercial office building basement at IAD was not properly secured in a locked cabinet

Access to this room and to TSA’s telecommunications equipment should be controlled and limited.

Further, a workstation at IAD was not properly secured. (See figure 3.)
This workstation was adjacent to a TSA passenger screening exit area, and its computer terminal connections were clearly visible and accessible to the public.

Figure 3: Unsecured workstation in TSA passenger screening area.

According to the DHS 4300A Handbook:

“Controls for deterring, restricting, and regulating access to sensitive areas shall be in place and will be sufficient to safeguard against possible loss, theft, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.”

Technical Controls

TSA strengthened its technical controls at IAD, but additional work is needed. For example, TSA corrected three of the six technical control deficiencies that we reported in January 2007.

Unnecessary open ports and services increase the risk that malicious users may compromise TSA systems or allow external attacks.
Additionally, operating systems that do not receive required updates or patches are vulnerable and can be easily exploited.

According to the DHS Directive 4300A:

“Components shall manage systems to reduce vulnerabilities through vulnerability testing, promptly installing patches, and eliminating or disabling unnecessary services, if possible.”

Management Controls

TSA resolved the management control deficiencies we reported in January 2007.
We did not identify any additional management control deficiencies.

Recommendations

We recommend that the TSA CIO take the following actions for TSA activities at IAD:

Recommendation #4: Implement physical security and environmental controls to compensate for reported deficiencies in TSA’s LAN rooms, telecommunications closets, and airport passenger screening workstation desks.

Recommendation #5: Implement and document technical controls and processes to compensate for reported deficiencies.

Recommendation #6: Apply the necessary operating system updates to systems operating at IAD.

4 TSA staff provided evidence that the firewalls block these ports. However, we did not independently test these firewalls.

Management Comments and OIG Analysis

TSA concurred with recommendations 4 through 6.
These recommendations will be considered resolved but open pending verification of all planned actions.

Appendix A
Purpose, Scope, and Methodology

As part of our program to evaluate, on an ongoing basis, the implementation of DHS technical and information security policies and procedures at DHS sites, we conducted a follow-up review of DHS’ efforts to strengthen IT security controls at IAD. The objectives of this review were to determine whether:

• The DHS components had implemented action plans to correct the weaknesses we reported, and
• Those action plans complied with the department’s technical and information security policies and procedures according to DHS Directive 4300A and its companion document, the DHS 4300A Handbook.

Our entrance and exit conferences were held with CBP and TSA officials. Follow-up technical evaluations were conducted. DHS components and OIG staff monitored security scans of the servers using various software packages. Additionally, OIG staff conducted scans to determine whether DHS components at IAD were using wireless devices. 5

We reviewed applicable DHS and DHS component policies and procedures, previously reported deficiencies, and corrective action plans for the OIG reported weaknesses. Before performing our onsite review, we used the components’ action plans and status updates to identify the applicable locations for the IT assets, the appropriate staff to interview, and where to conduct the technical test for internal controls. Our onsite review included a physical review of CBP and TSA space and interviews with the appropriate staff. Our technical review included onsite reviews of server security policies. Additionally, we reviewed guidance provided by DHS to the components regarding patch management, operating systems, and wireless security.

We provided both CBP and TSA with briefings concerning the results of fieldwork and the information summarized in this report. We conducted this review between June and October 2008.

We performed our work according to the Quality Standards for Inspection of the President’s Council on Integrity and Efficiency and pursuant to the Inspector General Act of 1978, as amended.

We appreciate the efforts of DHS management and staff to provide the information and access necessary to accomplish this review.

Our points of contact for this report are Frank Deffer, Assistant Inspector General for Information Technology, (202) 254-4100, and Sharon Huiswoud, Director for Information Systems, (202) 254-5441. Major OIG contributors to the review are identified in Appendix E.

5 We did not find any wireless devices being used by CBP or TSA at IAD.

Appendix B
CBP’s Management Comments to the Draft Report

Appendix C
TSA’s Management Comments to the Draft Report

Appendix D
CBP Single Points of Failure at IAD

Appendix E
Major Contributors to This Report

Sharon Huiswoud, Director, Department of Homeland Security, Information Technology Audits

Kevin Burke, Audit Manager, Department of Homeland Security, Information Technology Audits

Beverly Dale, Senior Auditor, Department of Homeland Security, Information Technology Audits

Frederick Shappee, Program Analyst, Department of Homeland Security, Information Technology Audits

Ravi Jindal, Management and Program Assistant, Department of Homeland Security, Information Technology Audits

Kia Smith, Referencer

Appendix F
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS Component Liaison
DHS Chief Information Officer
CBP Chief Information Officer
TSA Chief Information Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller."